The subject matter disclosed herein generally relates to network security as well as the security of control systems and control networks coupled to a computer network.
Computer networks and network technologies are expanding into areas where they were not previously present. For example, monitoring and/or control systems (e.g., industrial control systems) that monitor and control the operation of machinery, such as wind turbines, gas turbines, compressors, motors, generators, and other devices, have increasingly become interconnected. This interconnection may allow for sharing of information between physically separate machinery and, for example, a single monitoring station. However, as traditionally closed (i.e., non-networked) systems have become interconnected, the potential threat from cyber attacks (e.g., hacking) has also increased.
Some attempts at improving security for industrial control systems have been made. For example, control hierarchy models, such as the Purdue model, have been implemented. While these models have provided a helpful, common language for industrial control systems (“ICS”) owners, operators, and suppliers to use to frame security discussions, their implicit assumptions of static data flows, centralized control, and security enforced solely at network perimeters may prove to be outdated. Indeed, advancements in ICS technology (distributed control, smart devices, and interoperability), together with increasingly sophisticated vulnerability exploitation, create a need for more robust models and techniques for intrusion detection. Furthermore, emergent forces such as virtualization, collaboration/socialization, and cloud-based infrastructure/services may further call into question the adequacy of a defensive posture built solely on perimeter security (i.e., network security focused mainly on preventing entry to a system rather than on detecting activity once entry has occurred).
Additionally, further security issues may arise when the ICS is coupled to, for example, a corporate network. End Point Security is one technique that has been utilized to prevent unauthorized access to a corporate network, whereby an enterprise authenticates and scans each device or host before granting it access to the corporate network. However, the proliferation of consumer devices, which enhance productivity yet demand increased access to the network, has led toward a model in which protection at the network edge alone may be insufficient. Accordingly, with end users demanding numerous devices and constant connectivity to the enterprise, data often flows into and out of a network in an unmonitored and potentially unsecured way. Additionally, with the use of personal cloud storage and social networking, the risk of loss or manipulation of sensitive data may prove to be significantly higher.
In view of the increased likelihood of cyber attacks on both an ICS and any corporate network to which the ICS may be coupled, there is a need for increased security related to the detection of unauthorized entry into both an ICS and a corporate network. Therefore, it would be desirable to implement a system and techniques that overcome challenges in the art and allow for increased detection of an attempted intrusion into a network.